In order to ensure that the downloaded TYPO3 package is an official
package released by the TYPO3 developers, compare the MD5 checksum of
the downloaded package with the checksum stated on the TYPO3 website,
before you extract/install TYPO3. You find the MD5 checksums in the
Wiki (e.g. https://wiki.typo3.org/TYPO3_CMS_8.7.0 for the official TYPO3 version
8.7.0 packages).

Be careful when using pre-installed or pre-configured packages by
other vendors: due to the nature and complexity of TYPO3 the system
requires configuration. Some vendors offer download-able packages,
sometimes including components such as Apache, MySQL, PHP and TYPO3 CMS,
easy to extract and ready to launch. This is a comfortable way to set
up a test or development environment very quickly but it is difficult
to verify the integrity of the components – for example the integrity
of TYPO3 CMS.

A similar thing applies to web environments offered by hosting
companies: system images sometimes include a bunch of software
packages, including a CMS. It depends on the specific project and if
you can trust the provider of these pre-installed images, systems,
packages – but if you are in doubt, use the official TYPO3 packages
only. For a production site in particular, you should trust the source
code published at typo3.org only.